February 2007
Report No. 07-005

Information Technology Examination Coverage of Financial Institutions' Oversight of Technology Service Providers

AUDIT REPORT


Information Technology Examination Coverage of Financial Institutions' Oversight of Technology Service Providers

Background and Purpose of Audit

In the first 10 months of 2006, over half of the 213 information security breaches reported by financial institutions to the FDIC involved technology service providers (TSP). In accordance with federal laws and regulations, financial institutions must safeguard sensitive customer information against unauthorized disclosure when outsourcing various information technology (IT) operations to TSPs.

Interagency guidelines contained in Part 364 of the FDIC Rules and Regulations establish key controls over TSPs, noting that each bank shall (1) exercise due diligence in selecting TSPs, (2) have contractual arrangements with their TSPs that require appropriate measures to safeguard customer information, and (3) provide ongoing monitoring of TSPs to ensure they have satisfied their contractual obligations. To ensure that FDIC-supervised financial institutions implement adequate information security program controls, the FDIC conducts periodic onsite IT examinations through its Information Technology-Risk Management Program (IT-RMP).

The objective of this audit was to assess the Division of Supervision and Consumer Protection's (1) IT examination procedures for addressing the security of sensitive customer information when FDIC-supervised institutions use TSPs and (2) examiners' implementation of those procedures.

Results of Audit

The FDIC has provided guidance to examiners to assess financial institutions' oversight of TSPs. In particular, the IT-RMP guidance requires examiners to consider the interagency guidelines in scoping examinations but does not detail examination procedures to assess compliance with the key controls over TSPs. Two of the four IT-RMP tools could be enhanced to provide information and examination procedures for assessing the risks associated with protecting the security and confidentiality of sensitive customer information when FDIC-supervised institutions use TSPs. Specifically, the IT-RMP Officer's Questionnaire, completed by institution management, could request information about the financial institution's key controls over TSPs. Additionally, guidance in the Snapshot Work Program could specifically address key controls related to due diligence in the selection of TSPs, contract provisions, and ongoing monitoring of TSPs.

All 12 examinations in our sample included assessments of the financial institutions' oversight of TSPs as required by the IT-RMP, and most provided at least some coverage of the key controls in the interagency guidelines. However, documentation for 10 of the 12 examinations did not contain sufficient written support that examiners had fully assessed institutions' compliance with the interagency guidelines regarding oversight of TSP protection of sensitive customer information. The IT-RMP Snapshot Work Program provides examiners considerable flexibility in tailoring IT examination procedures to the institution being examined and does not specifically require examiners to test or document the extent of an institution's oversight of TSPs.

The FDIC can achieve greater assurance that financial institutions are ensuring that TSPs safeguard customer information by enhancing IT-RMP guidance and IT examination documentation. Such assurance will help in protecting customers from identity theft and institutions from fraud and reputational and other risks associated with unauthorized access to or use of customer information.

Recommendations and Management Response

The report makes two recommendations that the FDIC: (1) revise IT-RMP guidance to ensure that examiners adequately assess financial institution compliance with the interagency guidelines pertaining to the oversight of TSPs and (2) reemphasize the need for examiners to clearly document decisions and supporting logic for the approach used in assessing compliance with the interagency guidelines related to TSPs as well as support for examiner conclusions. FDIC management agreed with both recommendations, noting that it is planning to evaluate the first year of performance under the IT-RMP. This evaluation will incorporate our recommendations, and the FDIC will issue additional guidance where necessary. Additionally, the FDIC will reemphasize examination documentation requirements to examiners.

To view the full report, go to www.fdicig.gov/2007reports.asp


TABLE OF CONTENTS

BACKGROUND
  Statutory and Regulatory Guidance
  Institution Guidance
  Examiner Guidance
  Reported Breaches of Security Related to Customer Information

RESULTS OF AUDIT

IT-RMP GUIDANCE ON FINANCIAL INSTITUTIONS' CONTROLS OVER TSPs
  Officer's Questionnaire
  Snapshot Work Program

EXAMINER IMPLEMENTATION OF IT-RMP GUIDANCE ON FINANCIAL INSTITUTIONS' CONTROLS OVER TSPs
  Documentation of Examiner Procedures
  Due Diligence
  Contract Provisions
  Ongoing Monitoring

CONCLUSION

RECOMMENDATIONS

CORPORATION COMMENTS AND OIG EVALUATION

APPENDIX I: OBJECTIVE, SCOPE, AND METHODOLOGY

APPENDIX II: SELECTED LAWS, REGULATIONS, AND GUIDANCE RELATED TO TSP PROTECTION OF CUSTOMER INFORMATION

APPENDIX III: ANALYSIS OF EXAMINER DOCUMENTATION OF INSTITUTION COMPLIANCE WITH INTERAGENCY GUIDELINES IN RELATION TO THREE KEY CONTROL AREAS

APPENDIX IV: SUMMARY ANALYSIS OF EXAMINER DOCUMENTATION OF INSTITUTION COMPLIANCE WITH INTERAGENCY GUIDELINES IN RELATION TO THREE KEY CONTROL AREAS

APPENDIX V: CORPORATION COMMENTS

APPENDIX VI: MANAGEMENT RESPONSE TO RECOMMENDATIONS


ACRONYMS

C.F.R.     Code of Federal Regulations
DSC        Division of Supervision and Consumer Protection
FACT       Fair and Accurate Credit Transactions
FDI        Federal Deposit Insurance
FDIC       Federal Deposit Insurance Corporation
FFIEC      Federal Financial Institutions Examination Council
FIL        Financial Institution Letter
GLBA       Gramm-Leach-Bliley Act
IT         Information Technology
IT-RMP     Information Technology-Risk Management Program
MERIT      Maximum Efficiency, Risk-Focused, Institution Targeted
OCC        Office of the Comptroller of the Currency
OIG        Office of Inspector General
OTS        Office of Thrift Supervision
RDM        Regional Directors Memorandum
ROE        Report of Examination
TSP        Technology Service Provider
U.S.C.     United States Code


Federal Deposit Insurance Corporation
3501 Fairfax Drive, Arlington, VA 22226
Office of Audits
Office of Inspector General

DATE:            February 5, 2007

MEMORANDUM TO:   Sandra L. Thompson, Director
                 Division of Supervision and Consumer Protection

FROM:            Russell A. Rau  /Signed/
                 Assistant Inspector General for Audits

SUBJECT:         Information Technology Examination Coverage of Financial Institutions' Oversight of Technology Service Providers (Report No. 07-005)


This report presents the results of the Office of Inspector General's (OIG) second audit in a series of audits pertaining to the FDIC's oversight of technology service providers (TSP).[1] The overall purpose of these audits is to assess the FDIC's examination coverage of TSPs and related efforts to protect sensitive customer information.[2] Our prior audit assessed the FDIC's process for identifying and monitoring TSPs used by FDIC-supervised institutions and for prioritizing examination coverage of TSPs.[3] For the current audit, our objective was to assess the Division of Supervision and Consumer Protection's (DSC) (1) information technology (IT) examination procedures for addressing the security of sensitive customer information[4] when FDIC-supervised institutions use TSPs and (2) examiners' implementation of those procedures. Appendix I of this report details our objective, scope, and methodology.

[1] According to Interagency Guidelines Establishing Information Security Standards (Appendix B to Part 364 of the FDIC Rules and Regulations), service provider ". . . means any person or entity that maintains, processes, or otherwise is permitted access to customer information through its provision of services directly to the bank."
[2] Sensitive customer information is defined by Appendix B to Part 364 of the FDIC Rules and Regulations as a customer's Social Security number, personal identification number, password, or account number in conjunction with a personal identifier such as the customer's name, address, or telephone number. Such information would also include any combination of components of a customer's information such as a user name and password that would allow someone to log onto or access another person's account.
[3] OIG Report No. 06-015, FDIC's Oversight of Technology Service Providers, issued in July 2006.
[4] Security of customer information differs from financial privacy in that security measures are designed to safeguard against unauthorized access to or use of customer information, while financial privacy rules address a financial institution's ability to disclose data.

BACKGROUND

In accordance with federal laws and regulations (see Appendix II for additional information), financial institutions must safeguard sensitive customer information against unauthorized disclosure or use. The FDIC is responsible for examining FDIC-supervised financial institutions for adherence to these laws and regulations as part of its legislative mandate to maintain stability and public confidence in the nation's financial system. Many financial institutions outsource various IT operations to TSPs. However, a financial institution's use of a TSP to provide needed products and services does not diminish the responsibility of the institution's board of directors and management to ensure that these activities are conducted in a safe and sound manner and in compliance with applicable laws and regulations.
According to FDIC IT examination guidance, TSP relationships should be subject to the same or greater risk management, security, privacy, and other internal controls and policies that would be expected if the financial institution were conducting the activities directly.

Statutory and Regulatory Guidance

The primary federal law governing the protection of sensitive customer information is the Gramm-Leach-Bliley Act (GLBA), Public Law 106-102. GLBA, enacted in 1999, requires financial institutions to protect the security and confidentiality of customer information. Under GLBA, each federal banking agency is required to establish appropriate standards for the financial institutions subject to its jurisdiction that would serve to:

• ensure the security and confidentiality of customer records;
• protect against anticipated threats or hazards to the security or integrity of such records; and
• protect against unauthorized access to or use of such records which would result in substantial harm or inconvenience to any customer.

To that end, in 2001 the federal banking agencies promulgated the Interagency Guidelines Establishing Information Security Standards (Interagency Guidelines), codified in the FDIC Rules and Regulations at 12 Code of Federal Regulations (C.F.R.) Part 364, Appendix B. Pursuant to the Interagency Guidelines, each bank must implement a customer information security program that includes administrative, technical, and physical safeguards appropriate to the size and complexity of the bank and the nature and scope of its activities. The security program must include a written plan that identifies key risks and controls related to the protection of customer information. Section III of the Interagency Guidelines notes that while overseeing service provider arrangements, each financial institution shall:

• exercise appropriate due diligence in selecting its TSPs;
• require its service providers, by contract, to implement appropriate measures designed to meet the objectives of the Interagency Guidelines; and
• where indicated by the bank's risk assessment, monitor its TSPs to confirm that they have satisfied their obligations to implement appropriate security measures for customer information. As part of this monitoring, financial institutions should review audits, summaries of test results, or other equivalent evaluations of their TSPs.

Key Controls in the Customer Information Security Program Applicable to TSPs (Source: 12 C.F.R. Part 364):
• Due Diligence
• Contract Provisions
• Ongoing Monitoring

Institution Guidance

The FDIC, in conjunction with the Federal Financial Institutions Examination Council (FFIEC),[5] has issued various Financial Institution Letters (FIL) addressing the outsourcing of technology services by financial institutions (see Appendix II).

Of particular note, the FDIC issued FIL-22-2001[6] in March 2001 to introduce the requirements of the Interagency Guidelines to the financial institutions it supervises. The FIL noted that the Interagency Guidelines describe the oversight role of an institution's board of directors in the process for creating, implementing, and maintaining an information security program for safeguarding customer information and its continuing duty to evaluate and oversee the program's overall status. Further, the FIL stated that the Interagency Guidelines describe the elements of a comprehensive risk-management plan to control risks to the security and confidentiality of customer information and identify the factors an institution should consider in evaluating the adequacy of its policies and procedures related to protecting customer information. The FIL states that institutions should exercise appropriate management of outsourcing arrangements, including confirming that service providers have implemented effective information security programs to protect customer information.

Also, the FDIC issued FIL-68-2001[7] in August 2001 to introduce examination procedures designed to help ensure institution compliance with customer safeguards in the Interagency Guidelines and to ensure that the standards established in the Interagency Guidelines are applied consistently. FIL-68-2001 provided extensive coverage of GLBA requirements and included key questions related to measures taken by an institution to oversee service providers. The procedures cover all three of the key controls related to TSPs as identified by the Interagency Guidelines.

Examiner Guidance

DSC generally conducts IT examinations in conjunction with risk management examinations every 12 or 18 months, depending on the asset size and condition of the institution. In 2005, DSC updated its risk-focused IT examination procedures for FDIC-supervised financial institutions. Specifically, DSC issued Regional Directors Memorandum (RDM 2005-031), Information Technology-Risk Management Program (IT-RMP), on August 15, 2005.[8]
The previous process focused on broad-based technology and control reviews, while the IT-RMP places considerable emphasis on management, information security program content, and confirmations and assurances obtained through audit or independent review. The IT-RMP integrates with other examination activities by embedding the results of the IT examination within the risk management Report of Examination (ROE), which documents the results of safety and soundness examinations of FDIC-supervised financial institutions, regardless of institution size, technical complexity, or prior examination rating.[9]

[5] In addition to the FDIC, the FFIEC includes the Federal Reserve Board, National Credit Union Administration, Office of the Comptroller of the Currency (OCC), and Office of Thrift Supervision (OTS).
[6] Entitled, Security Standards for Customer Information.
[7] Entitled, 501(b) Examination Guidance.
[8] The IT-RMP replaced the former IT-Maximum Efficiency, Risk-Focused, Institution Targeted (IT-MERIT) program and related work programs.
[9] FIL-81-2005, entitled Information Technology Risk Management Program (IT-RMP): New Information Technology Examination Procedures, was issued August 18, 2005, notifying institutions of the new IT-RMP.

Under the IT-RMP, a review of the Interagency Guidelines is mandatory for each examination, including a review of the controls pertaining to TSPs. The IT-RMP contains four tools to assist examiners in an examination. The two primary tools that examiners use to assess a financial institution's oversight of TSPs are the IT Examination Officer's Questionnaire (Officer's Questionnaire) and the IT Examination Snapshot Work Program (Snapshot Work Program).

Key Tools of the IT-RMP (Source: FDIC IT-RMP Guidance):
• Technology Profile Script
• IT Summary Analysis
• Officer's Questionnaire
• Snapshot Work Program

• Officer's Questionnaire - This examiner risk-scoping tool is required to be completed by institution management and is used to collect key information about the institution's IT environment prior to an IT examination. The questionnaire represents the financial institution's self-assessment of its information security program and contains a series of questions, primarily in a "yes/no" format. The Officer's Questionnaire is organized as follows:

    Part 1, Risk Assessment
    Part 2, Operations Security and Risk Management
    Part 3, Audit/Independent Review Program
    Part 4, Disaster Recovery and Business Continuity
    Part 5, Gramm-Leach-Bliley Act/FDIC Rules and Regulations-12 CFR Part 364, Appendix B

  The assessment of an institution's controls over TSPs is generally included in Part 2, Operations Security and Risk Management, under the section on vendor management. Part 5 of the Officer's Questionnaire focuses on the institution's compliance with the Interagency Guidelines and does not specifically include information pertaining to TSPs.

• Snapshot Work Program - This examiner tool is used to guide examiner effort and document conclusions reached in the course of an IT examination. The Snapshot Work Program is tailored after the Officer's Questionnaire and provides "quick reference guidance" to examiners. Part 2 of the Snapshot Work Program contains guidance pertaining to the need for comprehensive contracts when institutions use TSPs. It is important to note that examiners have considerable discretion in supplementing the Snapshot Work Program with any other approved FDIC or FFIEC work programs.

Reported Breaches of Security Related to Customer Information

The importance of protecting sensitive customer information at TSPs is underscored by the number of data security breaches reported by financial institutions to the FDIC in 2006. According to information obtained from the FDIC's security incident report, approximately 213 security breaches were reported at banks during the period January 2006 through October 2006, of which approximately 125 (59 percent) involved TSPs. These breaches included TSPs providing services to institutions for Internet banking, debit and credit cards, automated teller machines, and network operating systems.

RESULTS OF AUDIT

The FDIC has provided guidance to examiners for assessing financial institutions' oversight of TSPs. While we concluded that the 2001 examination guidance contained detailed procedures for assessing compliance with the Interagency Guidelines related to TSPs, this guidance is not mandatory.
IT-RMP guidance, which is mandatory, requires examiners to consider the Interagency Guidelines in scoping examinations but does not detail examination procedures for assessing compliance with the key controls over TSPs. Two of the four IT-RMP tools could be enhanced to provide information and examination procedures for assessing the risks associated with protecting the security and confidentiality of sensitive customer information when FDIC-supervised institutions use TSPs. Specifically, the IT-RMP Officer's Questionnaire, completed by institution management, could request information about the financial institution's key controls over TSPs. Additionally, guidance in the Snapshot Work Program could specifically address key controls in the Interagency Guidelines related to due diligence in the selection of TSPs, contract provisions, and ongoing monitoring of TSPs (see IT-RMP Guidance on Financial Institutions' Controls Over TSPs).

All 12 examinations in our sample included assessments of the financial institutions' oversight of TSPs as required by IT-RMP, and most provided at least some coverage of the key controls in the Interagency Guidelines. However, documentation for 10 of the 12 examinations did not contain sufficient written support that examiners had fully assessed institutions' compliance with the Interagency Guidelines regarding oversight of TSP protection of customer information. The IT-RMP Snapshot Work Program provides examiners considerable flexibility in tailoring IT examination procedures to the institution examined and does not specifically require examiners to test or document the extent of an institution's oversight of TSPs. As noted above, the IT-RMP guidance also does not include detailed examination procedures to assess compliance with the Interagency Guidelines related to TSPs (see Examiner Implementation of IT-RMP Guidance on Financial Institutions' Controls Over TSPs).

The FDIC can achieve greater assurance that financial institutions are ensuring the security and confidentiality of customer information when using TSPs by enhancing IT-RMP guidance and IT examination documentation. Such assurance will help in protecting customers from identity theft and institutions from fraud and reputational and other risks associated with unauthorized access to or use of customer information.

IT-RMP GUIDANCE ON FINANCIAL INSTITUTIONS' CONTROLS OVER TSPs

IT-RMP guidance could be enhanced to increase assurance that examiners are thoroughly assessing how financial institutions ensure that their TSPs are safeguarding sensitive customer information. Specifically, two primary examiner tools for assessing compliance with the Interagency Guidelines related to TSPs, the Officer's Questionnaire and Snapshot Work Program, could further ensure that examiners assess the three key controls of the Interagency Guidelines - due diligence, contract provisions, and ongoing monitoring.

Officer's Questionnaire

The Officer's Questionnaire is an integral component of the IT-RMP and, when completed, serves as the financial institution's self-assessment of its information security program. For examiners, the questionnaire serves as a risk analysis and scoping tool to identify strengths and weaknesses in the institution's information security program. The 5-part Officer's Questionnaire contains 85 questions for completion by the financial institution (see the Background section of this report). The two parts of the questionnaire that pertain to TSPs are discussed below.

Part 2 of the Officer's Questionnaire, Operations Security and Risk Management, asks whether the institution has a vendor management program. The question is intended to be answered with a "Yes" or "No" response and does not request information on the vendor management program. As a result, the institution's response may not be particularly useful for purposes of using the Officer's Questionnaire as a means to gain an understanding of the institution's risk management practices related to the protection of sensitive customer information by TSPs. Although the Snapshot Work Program provides more detailed examination guidance in assessing compliance with the Interagency Guidelines related to TSPs, the Officer's Questionnaire is a risk-scoping tool that is completed earlier in the IT-RMP process and could be used more effectively to solicit such information as the nature and extent of the institution's use of TSPs to process sensitive customer information, risk assessments related to the use of TSPs, and significant changes in TSP relationships since the prior examination.

Part 5 of the Officer's Questionnaire, Gramm-Leach-Bliley Act/FDIC Rules and Regulations – 12 CFR Part 364, Appendix B, addresses compliance with the Interagency Guidelines. The IT-RMP guidance for the Officer's Questionnaire addresses whether bank management has developed a written information security program meeting the standards of the Interagency Guidelines. The Questionnaire requests information on those responsible for overseeing and implementing the security program, compliance audits, and the completion of employee awareness training related to the Interagency Guidelines.
However, none of the five questions in Part 5 of the Officer's Questionnaire specifically address oversight of TSPs. Further, three of the five questions are intended to be answered with only a "Yes" or "No" response. In our opinion, the questionnaire could be improved by requesting information that describes the institution's information security program as it relates to TSPs and the TSP-related security controls identified in the Interagency Guidelines, such as: the due diligence process used in the selection of TSPs that have access to sensitive customer information, contract provisions that provide for security programs at TSPs, and ongoing monitoring of the activities of service providers with access to sensitive customer information. To facilitate completion of the Questionnaire, the questions in Part 2 could be consolidated under Part 5, which specifically relates to implementation of the Interagency Guidelines.

Snapshot Work Program

Examiners use the Snapshot Work Program both as a guide in performing the examination and to document examiners' findings and conclusions. The guidance in the Snapshot Work Program provides examiners considerable flexibility in tailoring examination procedures to the institution being examined. The Snapshot Work Program guidance encourages the use of appropriate portions of other FDIC and FFIEC examination guidance, as needed, to reach conclusions about an institution's effectiveness in managing IT risk. Although not specifically referenced, other guidance would include FIL-68-2001, previously discussed, which provides detailed examination procedures for assessing compliance with the Interagency Guidelines related to TSPs. However, the Snapshot Work Program itself does not ensure that examiners assess the key risks identified in the completed Officer's Questionnaire and associated with the oversight of TSPs. Specifically, the Snapshot Work Program could be supplemented with additional procedures for examiners to review due diligence, contract provisions, and ongoing monitoring in relation to the customer information security activities involving TSPs, as discussed below.

Similar to the Officer's Questionnaire, Part 2 of the Snapshot Work Program, Operations Security and Risk Management, asks whether the institution has a vendor management program. Part 2 of the Snapshot Work Program states:

    Management should establish and maintain a formal vendor management program that defines the framework for controlling the risks associated with key vendors and service providers. For example, comprehensive contracts should be established that include service level agreement, audit expectations, and confidentiality/nondisclosure statements. In addition, the program should require service providers and vendors to maintain security programs that comply with requirements outlined within Part 364, Appendix B of the FDIC's Rules and Regulations. In summary, the vendor management program should require security standards that meet or exceed the bank's own standards. For additional information, refer to the FFIEC Handbooks and FILs regarding this topic.

While the above guidance is notable in that it addresses the need for a robust vendor management program, comprehensive contracts with TSPs, and TSP-maintained customer information security programs, the guidance could be enhanced by more clearly defining risk-based examination procedures for areas such as:

• institution vendor management policies and procedures related to customer information security, including risk assessment;
• consideration by the institution of TSP measures to protect customer information as part of due diligence in selecting TSPs;
• contracts with service providers incorporating the Interagency Guidelines;
• service provider reporting, including response to security compromises; and
• institution management review of TSP audits, test results, and other security-related evaluations and follow-up on corrective actions.

Part 5 of the Snapshot Work Program, Gramm-Leach-Bliley Act/FDIC Rules and Regulations – 12 CFR Part 364, Appendix B, addressing an institution's overall compliance with the Interagency Guidelines, includes the following:

    An assessment of Part 364, Appendix B is mandatory at every examination. Based on management responses and your assessment of the bank's risk management practices, is management meeting Part 364, Appendix B requirements?

Part 5 also lists questions similar to those in Part 5 of the Officer's Questionnaire. This guidance is clear about the mandatory nature of coverage of the Interagency Guidelines as part of every examination and the importance DSC places on customer information security. However, Part 5 of the Snapshot Work Program does not specifically mention TSPs and could be improved by including specific procedures for examiners to consider in determining whether an institution is complying with the TSP provisions of the Interagency Guidelines. Similar to our conclusion related to the Officer's Questionnaire, the guidance in the Snapshot Work Program could also be consolidated under Part 5 of the program, which is specifically related to implementation of the Interagency Guidelines. Consolidation of the procedures could help to ensure appropriate coverage of the key controls in the Interagency Guidelines.

EXAMINER IMPLEMENTATION OF IT-RMP GUIDANCE ON FINANCIAL INSTITUTIONS' CONTROLS OVER TSPs

All 12 examinations we reviewed included a review of the institutions' compliance with the Interagency Guidelines, and most provided at least some coverage of key controls. However, documentation for 10 of 12 IT examinations did not contain sufficient written support that examiners had fully assessed financial institutions' compliance with the Interagency Guidelines regarding the oversight of TSPs in the three key control areas of due diligence, contract provisions, and ongoing monitoring. These key controls provide for the protection of customer information entrusted by the institution to the TSP. Assessments of these controls as part of an examination increase assurance that customer information is used by the TSP as intended by the institution. We based our conclusions on a review of how examiners assessed 17 TSP-specific steps that we identified in the Interagency Guidelines and institution and examiner guidance related to the key control areas in the Interagency Guidelines (see Appendixes III and IV for our analysis of the specific steps under the three key control areas).
Also, we used existing DSC guidelines\nfor examination documentation to assess examiners\xe2\x80\x99 written support. In some cases,\nwhere we were unable to determine the extent of the examiner\xe2\x80\x99s assessment of financial\ninstitution compliance with the Interagency Guidelines, DSC obtained additional\ndocumentation from the financial institutions to facilitate our review.\n\nDocumentation of Examiner Procedures\n\nIn accordance with RDM 2001-039, Guidelines for Examination Workpapers and\nDiscretionary Use of Examination Documentation Modules, at a minimum, examiners\nshould summarize the documentation relied upon during their review and briefly detail\nthe procedures used and analysis conducted to support conclusions relative to significant\nareas of review. This guidance is applicable to examination coverage of institution\noversight of TSPs. In addition, examination documentation should (1) demonstrate a\nclear trail of decisions and supporting logic within a given area, (2) provide written\nsupport for examination and verification procedures performed and conclusions reached,\nand (3) support assertions of fact or opinion in the financial schedules and narrative\ncomments in the ROE. Furthermore, DSC\xe2\x80\x99s Risk Management Manual of Examination\nPolicies, Section 1.1-Basic Examination Concepts and Guidelines, states that\nexamination findings should be documented through a combination of brief summaries,\nbank source documents, ROE comments, and examination work papers that address both\nmanagement practices and financial institution condition.\n\nWe recognize that there is a need for flexibility in choosing examination procedures and\ndocumenting support for examination procedures. 
For example, if the contract between the financial institution and its service providers had been reviewed in a separate examination of the TSP or in a prior examination, and the term of the TSP contract extends into the period of the next examination cycle, there may not be a need for the IT examiner to review the contract again in the next IT examination. However, DSC should emphasize that examiners must clearly document decisions and the supporting logic for the approach used for assessing compliance with the Interagency Guidelines and support for conclusions reached on key controls, as discussed below. This will aid in ensuring that risks are appropriately addressed in the current examination and in planning the scope for future examinations.

Due Diligence

The Interagency Guidelines require that each financial institution exercise appropriate due diligence in selecting its TSPs to help ensure that sensitive customer information is safeguarded. For 8 of the 12 examinations, there was documentation of at least a limited assessment of due diligence. For 3 of the 12 IT examinations, we found sufficient documentation that examiners had assessed the financial institutions’ due diligence in selecting TSPs, particularly with regard to the protection of customer information. Five examinations included limited documentation that the financial institutions’ compliance had been assessed; therefore, we could not conclude whether the examiners’ review confirmed that the institution had:

    • determined the adequacy of a TSP’s controls to safeguard the bank’s sensitive customer information;
    • conducted background checks on key personnel; and
    • determined the extent to which TSPs will use subcontractors, and if used, that the bank had conducted due diligence on the subcontractors.

The remaining four examinations did not include documentation that the institutions’ compliance with due diligence requirements had been assessed by the IT examiners.

    Due Diligence Controls Assessed
    ✓ Determine the adequacy of the TSP’s controls to safeguard the bank’s sensitive customer information.
    ✓ Conduct background checks on key personnel.
    ✓ Determine extent of TSP’s use of subcontractors, and conduct due diligence on subcontractors.
    Source: OIG Analysis of FDIC and FFIEC Guidance.

Contract Provisions

The Interagency Guidelines mandate that each financial institution require its service providers, by contract, to implement appropriate measures designed to:

     •   ensure the security and confidentiality of customer information,
     •   protect against any anticipated threats or hazards to the security of the information,
     •   protect against unauthorized access to or use of information that could result in substantial harm or inconvenience to any customer, and
     •   ensure the proper disposal of customer information.

To ensure that institutions have adequate controls over sensitive customer information at TSPs, IT examiners should confirm that institutions have established controls with the TSPs through appropriate contract provisions. However, for 10 of the 12 IT examinations we reviewed, there was limited or no documentation that examiners had confirmed the institutions’ protection of sensitive customer information at TSPs through all of the appropriate contract provisions identified in TSP-related guidance. We based this conclusion on our review of examination documentation and available TSP contracts, along with interviews of the IT examiners who had conducted the work.

    Contract Controls Assessed
    ✓ Protection of the bank’s data from unauthorized access at the TSP.
    ✓ Incident response plan for unauthorized access and notification to the bank of a breach.
    ✓ Adequate disposal of the bank’s sensitive customer information by the TSP.
    ✓ Adherence to regulatory guidance and requirements for the protection of sensitive customer information, including providing accurate information and timely access to a bank’s regulatory agency.
    ✓ Specific or custom information security standards required by the bank (e.g., encryption and use of firewalls).
    ✓ Notification to the bank of subcontractor arrangements with the TSPs.
    ✓ Ownership of the bank’s customer information, including the timely return of information at termination to the bank.
    ✓ Confidentiality of an institution’s sensitive customer information.
    ✓ Types of evaluations, reviews, audits, or other reports of the TSP’s controls to protect sensitive customer information or the right of the bank to audit the TSP.
    ✓ Determination on whether the institution’s Legal Counsel had reviewed the contract.
    Source: OIG Analysis of FDIC and FFIEC Guidance.

In reviewing the examiners’ documentation of the 12 IT examinations, we made the following observations:

•   Evidence of review - Documentation for three of the IT examinations did not contain any evidence of examiners’ reviews of TSP contracts. Furthermore, the IT examiners could not recall whether any specific contracts had been reviewed.

•   Review of subcontractor arrangements - TSPs subcontract with other service providers on occasion to perform portions of the services required by financial institutions. For nine of the IT examinations, there was limited or no documentation that examiners had ensured the financial institutions’ contracts included provisions requiring TSPs to notify the institutions of subcontractor arrangements. Without this contract provision, a financial institution may not be informed of other service providers handling the institution’s customer information and, therefore, cannot adequately ensure the information is protected in accordance with the Interagency Guidelines.

•   Legal counsel review - For 10 examinations, we did not find support that the IT examiners had ensured that the financial institution’s legal counsel reviewed the contracts. According to the FFIEC's Outsourcing Technology Services Handbook, the contract is the single most important control in the outsourcing process, and institutions should engage legal counsel early in the process to help prepare and review the proposed contract.

Although all the financial institutions in our sample employed TSPs, only 4 of the 12 sets of IT examination work papers we reviewed contained copies of TSP contracts.
In total, we reviewed nine contracts contained in the IT examination work papers and concluded that:

     • seven of the contracts did not contain provisions requiring an incident response plan in the event of unauthorized access to sensitive customer information at the TSP and notification to the bank;10
     • six of the contracts did not include provisions for the TSPs’ adequate disposal of the bank’s sensitive customer information; and
     • six of the contracts did not include provisions for evaluations, reviews, audits, or reports on the TSP’s controls to protect sensitive customer information or the right of the bank to audit the TSP.

We also obtained four contracts from three additional institutions through DSC. We noted that all four of these contracts lacked key provisions such as:

     • an incident response plan addressing unauthorized access to the bank’s sensitive customer information at the TSP and notification to the bank,
     • adequate disposal of the bank’s sensitive customer information by the TSP, and
     • specific information security standards required by the institution.

These examples indicate that some financial institution contracts with TSPs could more completely address the service provider’s responsibilities for the security and confidentiality of customer information. Further, specific examination procedures could aid examiners in the review of contract provisions for compliance with the Interagency Guidelines.

Ongoing Monitoring

Ongoing monitoring of TSPs entails understanding the scope and nature of the services sufficiently to identify and appropriately react when the services provided are not at the level indicated in the agreement, no longer appropriately coordinate with the security controls at the institution, or no longer provide the risk mitigation desired. The Interagency Guidelines require banks to monitor their service providers, where indicated by the bank’s risk assessment, to confirm that service providers have satisfied their obligations as required by the contract. As part of the bank’s monitoring, it should review audits, summaries of test results, or other equivalent evaluations of its service providers.

    Ongoing Monitoring Controls Assessed
    ✓ Audit and regulatory reports of the TSP’s general control environment, including information security practices, standards, and procedures for protecting the bank’s sensitive customer information.
    ✓ Ensure that the TSP takes corrective action to address findings included in the audit and regulatory reports of the TSP.
    ✓ Conformance with specific or custom information security standards required by the bank and included in the contract.
    ✓ Subcontractors’ compliance with Part 364, Appendix B security requirements.
    Source: OIG Analysis of FDIC and FFIEC Guidance.

10 According to FIL-27-2005, Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice, when an incident of unauthorized access to sensitive customer information involves information systems maintained by a bank’s TSP, it is the institution’s responsibility to notify its customers and regulator. However, a bank may contract with its TSP to notify the institution’s customers or regulator on its behalf.

For 9 of the 12 IT examinations we reviewed, we found support that examiners had ensured that financial institutions were obtaining independent, external reviews of the TSPs. In these cases, the reviews were performed in accordance with the American Institute of Certified Public Accountants Statement on Auditing Standards No. 70,11 entitled Reports on the Processing of Transactions by Service Organizations. The reports of these reviews describe and, in some cases, document tests of the general control environment and information security practices, standards, and procedures of the TSPs. However, we determined that there was limited or no support that examiners had assessed whether financial institutions ensured that TSPs took appropriate corrective measures to address findings identified in audits, summaries of test results, or other equivalent evaluations of TSPs. In the remaining three instances, there was limited or no support in the examination documentation that examiners had ensured that institutions were obtaining independent, external reviews of TSPs.

We also noted that there was limited or no support in documentation for 8 of the 12 IT examinations for the examiners’ assessment of whether subcontractors were being used by TSPs for processing customer information, and if so, whether the subcontractors were being monitored for compliance with the Interagency Guidelines. The potential use of subcontractors to process customer information presents considerable risk to the security and confidentiality of the information, a risk that should be covered through the implementation of controls consistent with the Interagency Guidelines.

Ongoing monitoring of TSPs and their subcontractors by financial institutions helps to ensure that the TSPs safeguard the institution’s sensitive customer information. Accordingly, examiners should perform procedures to confirm whether financial institutions ensure that TSPs and their subcontractors conform to contractual customer information security requirements.

CONCLUSION

Safeguarding sensitive customer information is critical to ensuring that consumers are protected from identity theft and institutions are protected from fraud and reputational and other risks. IT-RMP guidance could be enhanced to more specifically address key provisions of the Interagency Guidelines pertaining to due diligence in the selection of TSPs, contract provisions covering TSP relationships, and ongoing monitoring of TSPs. The IT-RMP guidance provides examiners considerable flexibility in tailoring examination procedures. Much of the guidance for an IT examination is contained in various FDIC and FFIEC work programs.
Accordingly, the FDIC can achieve greater assurance that financial institutions are adequately ensuring the security and confidentiality of customer information when using TSPs by enhancing IT-RMP guidance and IT examination documentation.

11 Statement on Auditing Standards No. 70 defines the professional standards used by an auditor to assess the internal controls of a service organization. Service organizations, such as data centers, insurance claims processors, and credit processing companies, provide outsourcing services that affect the operation of the contracting enterprise.

RECOMMENDATIONS

We recommend the Director, DSC:

   1. Revise IT-RMP guidance to ensure that examiners adequately assess financial institution compliance with the Interagency Guidelines provisions pertaining to the oversight of TSPs by:

       •   Adding questions to the IT Examination Officer’s Questionnaire that request information on the (a) identification and risk assessment of all TSPs with access to sensitive customer information and (b) compliance with the control areas of due diligence, contract provisions, and ongoing monitoring. Consideration should be given to consolidation of the questions pertaining to the Interagency Guidelines under one part of the Officer’s Questionnaire.

       •   Amending the IT Snapshot Work Program to consolidate all guidance related to compliance with the Interagency Guidelines under one section and to include specific examination procedures to address the three TSP-related control areas of due diligence, contract provisions, and ongoing monitoring contained in the Interagency Guidelines. Consideration should be given to the TSP-specific steps identified in Appendixes III and IV of this report.

   2. Reemphasize the need for examiners to clearly document decisions and supporting logic for the approach used in assessing compliance with the Interagency Guidelines related to TSPs as well as support for examiner conclusions.

CORPORATION COMMENTS AND OIG EVALUATION

On January 29, 2007, the Director, DSC, provided a written response to a draft of this report. DSC’s response is presented in its entirety as Appendix V to this report. DSC agreed with both recommendations, noting that it is planning to evaluate the first year of performance under the IT-RMP. This evaluation will incorporate our recommendations, and DSC will issue additional guidance where necessary. Additionally, DSC will reemphasize examination documentation requirements to examiners.

DSC’s actions are responsive to our recommendations. A summary of management’s response to the recommendations is in Appendix VI. The recommendations are resolved but will remain open until we have determined that agreed-to corrective actions have been completed and are effective.

APPENDIX I

OBJECTIVE, SCOPE, AND METHODOLOGY

Objective

The objective of this audit was to assess DSC’s (1) IT examination procedures for addressing the security of sensitive customer information when FDIC-supervised institutions use TSPs and (2) examiners’ implementation of those procedures. We conducted our audit in accordance with generally accepted government auditing standards during the period April through November 2006.

Scope and Methodology

The audit focused on DSC’s examination assessment of FDIC-supervised institutions’ compliance with the Interagency Guidelines pertaining to the oversight of TSPs. To accomplish the audit objective, we evaluated relevant supervisory procedures for assessing TSP oversight consistent with RDM 2005-031, Information Technology-Risk Management Program (IT-RMP). We also evaluated the IT-RMP guidance for consistency with applicable federal laws, regulations, policies, and guidelines related to the oversight of TSPs. Additionally, we considered other supplementary guidance such as FFIEC handbooks, industry best practices, and guidance issued by other regulators.

We coordinated our audit work with a separate FDIC OIG audit of IT-RMP, and both audits relied on the same sample of examinations. We selected a non-statistical12 sample of 12 examinations from a total of 292 examinations conducted during the period January through March 2006, consisting of 4 examinations conducted in the FDIC’s New York Region, 4 in the San Francisco Region, and 4 in the Kansas City Region.

We selected our sample from the New York, Kansas City, and San Francisco regions based on the following considerations.

•    The New York Region had the largest dollar-value financial institutions in our sample population.
•    The Kansas City Region had the largest number of financial institutions in our sample population.
•    The San Francisco Region had the most widely dispersed financial institutions in our sample population.

We discussed our proposed sample with DSC management to explain our methodology and to ensure that our sample would produce meaningful results.
DSC provided suggestions regarding which regional offices, IT composite ratings, and institution asset sizes we should consider in selecting our sample.

12 The results of a non-statistical sample cannot be projected to the intended population by standard statistical methods.

Further, we interviewed DSC staff who had responsibilities for establishing and implementing the IT-RMP. We also did the following:

   •   Assessed policies and procedures developed and used by DSC for examining IT security risks when institutions use TSPs.
   •   Reviewed DSC’s criteria in IT-RMP guidance for categorizing IT security risks in financial institutions with TSPs.
   •   Conducted interviews with IT examination specialists and IT examiners.
   •   Reviewed applicable laws and regulations and FDIC policies, procedures, and directives.
   •   Reviewed FFIEC guidance, including Outsourcing Technology Services (June 2004), Supervision of Technology Service Providers (March 2003), Information Security (December 2002 and July 2006 revision), Business Continuity Planning (March 2003), and Audit (August 2003), which are 5 of the 12 booklets that, in total, comprise the FFIEC Information Technology Handbook.

Internal Controls

We identified, gained an understanding of, and evaluated selected internal controls over the establishment and implementation of supervisory procedures that addressed FDIC-supervised institutions' management of IT security risks. We reviewed the FDIC’s (1) policies and procedures related to the oversight of TSPs and the protection of sensitive customer information and (2) applicable policies and procedures in the FDIC Rules and Regulations, Regional Directors Memoranda, FILs, and FFIEC IT examination and supervision guidance. We also interviewed DSC individuals involved in IT examinations. This report discusses internal control concerns, identified during our audit, that relate to IT-RMP guidance.

Reliance on Computer-Based Data

We obtained certain data from DSC’s information system to identify IT examinations conducted subsequent to the August 15, 2005 implementation of the IT-RMP and data security breaches reported for the period January through October 2006. We did not assess the reliability of the computer-based data because these data were not significant to our findings, conclusions, or recommendations.

Government Performance and Results Act

The Government Performance and Results Act of 1993 directs federal agencies to develop a strategic plan and annual performance plans to help improve federal program effectiveness and service delivery. We reviewed the FDIC’s Strategic Plan for 2005-2010 and the FDIC 2006 Annual Performance Plan. We determined that the FDIC did not have a strategic goal or objective specifically related to IT examinations. However, the means and strategies the FDIC uses to achieve a strategic goal that FDIC-supervised institutions are safe and sound include IT examinations in general, as stated in the FDIC 2006 Annual Performance Plan:

       The FDIC also continues to focus on the risks posed by technology. Both onsite risk management and information technology examinations cover technology-related activities to determine how each FDIC-supervised depository institution manages risk in that area. The FDIC uses a monitoring system to proactively identify and assess indicators of technology risks that may impact FDIC-supervised institutions. The FDIC will also augment its general training curriculum for examiners to include more training on technology issues and the Information Technology Examination Course, which teaches examiners how to better integrate technology risk management, will be revised as a result of the IT-RMP.

We did not assess IT-RMP training as part of this audit. Rather, we provided coverage of IT-RMP training in a separate audit assignment that was ongoing at the completion of our fieldwork (for details, see the section entitled, Prior Audit Coverage).

Fraud and Illegal Acts

We did not develop specific audit procedures to detect fraud and illegal acts because they were not considered material to the audit objectives. However, throughout the audit, we were alert to the possibility of fraud and illegal acts, and none came to our attention.

Laws and Regulations

In conducting the audit, we considered the following laws and regulations, as well as additional laws and regulations identified in Appendix II.

•    GLBA provides for the protection of nonpublic personal information. Each financial institution has an obligation to respect the privacy of its customers and to protect the security and confidentiality of those customers’ nonpublic personal information. Each financial institution must establish administrative, technical, and physical safeguards to ensure the confidentiality of customer records and information; to protect against any anticipated threats or hazards to the security or integrity of such records; and to protect against unauthorized access to or use of such records or information which could result in substantial harm or inconvenience to any customer.

•    Fair and Accurate Credit Transactions (FACT) Act. This Act amends the Fair Credit Reporting Act by adding provisions covering identity theft, consumers’ access to credit information, enhanced consumer report accuracy, and financial literacy. The statutes prescribe financial institutions’ responsibilities for protecting consumer information and sharing it with other entities.

•    Federal Deposit Insurance (FDI) Act Section 10 - Provisions Related to Examination Authority. The FDI Act requires the FDIC to perform periodic "full scope" examinations of FDIC-supervised institutions. IT examinations are included as part of a “full scope" examination.

•    FDIC Rules and Regulations, Part 364, Appendix B - Interagency Guidelines Establishing Information Security Standards. These standards require financial institutions to conduct appropriate due diligence in selecting service providers; require service providers, by contract, to implement appropriate measures to protect customer information; and monitor service providers.

Prior Audit Coverage

Audit Report No. 06-015, FDIC’s Oversight of Technology Service Providers, issued July 20, 2006. The objective was to assess the FDIC’s examination coverage of TSPs and related efforts to protect sensitive customer information. The report made six recommendations for the FDIC to: (1) better identify and monitor TSPs with access to sensitive customer information and (2) improve the process the FDIC uses (in conjunction with the other FFIEC agencies) for assessing the risks posed by, and prioritizing for examination, those TSPs with access to sensitive customer information. DSC’s response and proposed actions were sufficient to resolve each recommendation.

Audit Report No. 07-002, The Division of Supervision and Consumer Protection’s Information Technology-Risk Management Program, issued January 10, 2007. The objective was to determine whether the FDIC had established and implemented adequate procedures for addressing IT security risks at FDIC-supervised institutions that offer electronic banking products and services. The report made seven recommendations to enhance the tools and guidance under the IT-RMP methodology and the IT training programs. FDIC management generally agreed with our recommendations and will review the tools, guidance, and training programs as part of an evaluation of the first year of performance under the IT-RMP program and will issue revised guidance or make enhancements as deemed necessary.

APPENDIX II

SELECTED LAWS, REGULATIONS, AND GUIDANCE RELATED TO TSP PROTECTION OF CUSTOMER INFORMATION

Laws: 15 United States Code (U.S.C.) 6801, Gramm-Leach-Bliley Act (GLBA)

Provisions: GLBA provides for the protection of nonpublic personal information by establishing: (a) privacy obligation policy - it is the policy of the Congress that each financial institution has an affirmative and continuing obligation to respect the privacy of its customers and to protect the security and confidentiality of those customers’ nonpublic personal information; and (b) financial institutions’ safeguards. In furtherance of the policy in subsection (a) of this section, each agency or authority described in section 6805(a) of this title shall establish appropriate standards for financial institutions subject to their jurisdiction relating to administrative, technical, and physical safeguards: (1) to ensure the security and confidentiality of customer records and information; (2) to protect against any anticipated threats or hazards to the security or integrity of such records; and (3) to protect against unauthorized access to or use of such records or information which could result in substantial harm or inconvenience to any customer.
As mandated by this law,\n                                           interagency examination guidelines and procedures were developed to\n                                           address standards for developing and implementing administrative,\n                                           technical, and physical safeguards to protect the security, confidentiality,\n                                           and integrity of customer information.\nRegulations\n12 C.F.R. Part 332, Privacy of Consumer    (a) Purpose. Part 332 governs the treatment of nonpublic personal\nFinancial Information                      information about consumers by the financial institutions listed in\n                                           paragraph (b) of this section. This part:\n                                              (1) Requires a financial institution to provide notice to customers\n                                           about its privacy policies and practices.\n                                              (2) Describes the conditions under which a financial institution may\n                                           disclose nonpublic personal information about consumers to nonaffiliated\n                                           third parties.\n                                              (3) Provides a method for consumers to prevent a financial institution\n                                           from disclosing that information to most nonaffiliated third parties by\n                                           \xe2\x80\x9copting out\xe2\x80\x9d of that disclosure, subject to the exceptions in \xc2\xa7\xc2\xa7 332.13,\n                                           332.14, and 332.15.\n                                           (b) Scope. 
(1) Part 332 applies only to nonpublic personal information\n                                           about individuals who obtain financial products or services primarily for\n                                           personal, family, or household purposes. This part does not apply to\n                                           information about companies or about individuals who obtain financial\n                                           products or services for business, commercial, or agricultural purposes.\n                                           This part applies to the United States offices or entities for which the\n                                           FDIC has primary supervisory authority.\n12 C.F.R. Part 364, Standards for Safety    (a) General standards. The Interagency Guidelines Establishing\nand Soundness, Appendix B, Interagency     Security Standards prescribed pursuant to section 39 of the FDI Act (12\nGuidelines Establishing Information        U.S.C. 1831p--1), as set forth in Appendix A to this part, apply to all\nSecurity Standards                         insured state nonmember banks and to state-licensed insured branches of\n                                           foreign banks that are subject to the provisions of section 39 of the FDI\n                                           Act.\n                                            (b) Interagency Guidelines Establishing Information Security\n                                           Standards. These guidelines, prescribed pursuant to section 39 of the\n                                           FDI Act (12 U.S.C. 1831p--1) and sections 501 and 505(b) of GLBA (15\n                                           U.S.C. 
6801, 6805(b)), and with respect to the proper disposal of\n                                           consumer information requirements pursuant to section 628 of the Fair\n\n\n                                                    19\n\x0c                                                                                      APPENDIX II\n\n                                        Credit Reporting Act (15 U.S.C. 1681w), as set forth in Appendix B to\n                                        this part, apply to all insured state nonmember banks, insured state-\n                                        licensed branches of foreign banks, and any subsidiaries of such entities\n                                        (except brokers, dealers, persons providing insurance, investment\n                                        companies, and investment advisers).\nInteragency Guidance\nFIL-81-2000, FFIEC Guidance on          Through the FFIEC, the regulators issued this guidance on key\nManaging Risks Associated With          management issues when outsourcing technology. These issues include\nOutsourcing Technology Services         risk assessment, service provider selection, contract terms, and oversight\nNovember 2000                           of outsourcing arrangements. 
The guidance is intended to assist financial\n                                        institutions that are increasingly relying on outside firms for technology-\n                                        related products and services to support an array of banking functions.\n                                        Institutions of all sizes are using these products and services, as\n                                        technology grows more complex and dynamic, creating a greater impetus\n                                        to outsource.\nFIL-22-2001, Security Standards For     The purpose of this FIL was to identify, establish, approve, and issue\nCustomer Information                    joint guidelines establishing standards for safeguarding customer\nMarch 2001                              information as required by GLBA. The guidelines provide expectations\n                                        for creating, implementing, and maintaining an information security\n                                        program and the oversight and continuing duty of the institution\xe2\x80\x99s board\n                                        of directors to identify and assess the risks that may threaten customer\n                                        information. 
In addition, the FIL requires that the institution develop a\n                                        written plan containing policies and procedures to manage and control\n                                        risk; implement and test the plan; and adjust the plan on a continuing\n                                        basis to account for changes in technology, sensitivity of customer\n                                        information; and internal or external threats to information security.\nFIL-50-2001, Bank Technology Bulletin   Contained in this FIL are documents that were provided to FDIC-\non Outsourcing                          supervised institutions, providing practical information to community\nJune 2001                               banks on how to select service providers, draft contract terms, and\n                                        oversee multiple service providers when outsourcing for technology\n                                        services and products.\nFIL-68-2001, 501(b) Examination         This FIL provides joint examination procedures to evaluate sensitive\nGuidance                                customer information in accordance with GLBA 501(b), which identifies\nAugust 2001                             the standards to ensure the security and confidentiality of customer\n                                        information; protect against any anticipated threats or hazards to the\n                                        security or integrity of such information; and protect against\n                                        unauthorized access to or use of customer information that could result in\n                                        substantial harm or inconvenience to any customer.\nFIL-89-2004, FFIEC Information          The FFIEC has issued booklets with guidance on evaluating management\nTechnology Examination Handbook         and outsourcing technology services. 
The FIL states that \xe2\x80\x9coutsourcing of\nJuly 2004                               an activity does not relieve management and the board of directors of\n                                        their responsibility to ensure the institution\xe2\x80\x99s data are processed in a\n                                        secure environment and to maintain data integrity.\xe2\x80\x9d\nFIL-81-2005, Information Technology     The FIL announced the FDIC\xe2\x80\x99s implementation of the new IT-RMP for\nRisk Management Program (IT-RMP)        conducting IT examinations of FDIC-supervised financial institutions.\nExamination Procedures,                 IT-RMP examination procedures apply to all FDIC-supervised banks,\nAugust 2005                             regardless of size, technical complexity, or prior examination rating. The\n                                        FIL also advised that the former IT-MERIT procedures and related work\n                                        programs have been rescinded.\n\n\n\n\n                                                20\n\x0c                                                                                       APPENDIX II\n\n\nFFIEC IT Examination Handbook,           Provides guidance and examination procedures to assist examiners and\nOutsourcing Technology Services,         bankers in evaluating a financial institution\xe2\x80\x99s risk management processes\nJune 2004                                to establish, manage, and monitor IT outsourcing relationships.\nFFIEC IT Examination Handbook,           This booklet governs the supervision of TSPs and briefly summarizes the\nSupervision of Technology Service        FFIEC member agencies\xe2\x80\x99 (agencies) expectations of financial institutions\nProviders,                               in the oversight and management of their TSP relationships. 
This\nMarch 2003                               booklet outlines the agencies\xe2\x80\x99 risk-based supervision approach, the\n                                         supervisory process, and the examination ratings used for TSPs. In\n                                         addition, this booklet discusses two special IT-related programs\n                                         administered by the agencies: the Multi-Regional Data Processing\n                                         Servicer Program, geared towards examining large TSPs and the Shared\n                                         Application Software Review Program aimed at reviewing mission-\n                                         critical software packages.\nFFIEC IT Examination Handbook,           This booklet provides guidance to examiners and organizations on\nInformation Security                     assessing the level of security risks to the organization and evaluating the\nJuly 2006                                adequacy of the organization\xe2\x80\x99s risk management.\nFFIEC IT Handbook, Audit,                This booklet replaces and rescinds Chapter 8 of the 1996 FFIEC\nAugust 2003                              Information Systems Examination Handbook. It is used by agency\n                                         examiners as a foundation from which they can assess the quality and\n                                         effectiveness of an institution\xe2\x80\x99s IT audit program. It describes the roles\n                                         and responsibilities of the board of directors, management, and internal\n                                         or external auditors; identifies effective practices for IT audit programs;\n                                         and details examination objectives and procedures. 
Agency examiners\n                                         will use the examination procedures in Appendix A to assess the\n                                         adequacy of IT audit programs at both financial institutions and TSPs.\n                                         The examination guidance and procedures in this booklet focus on IT\n                                         audit and supplement other, more general, internal and external audit\n                                         guidance provided by the agencies.\nFair and Accurate Credit Transactions    The OCC, FDIC, Federal Reserve, and OTS adopted a final rule to\n(FACT) Act Implementation                implement section 216 of the FACT Act by amending the Interagency\n                                         Guidelines Establishing Information Security Standards. The final rule\n                                         generally requires each financial institution to develop, implement, and\n                                         maintain, as part of its existing information security program, appropriate\n                                         measures to properly dispose of consumer information derived from\n                                         consumer reports.\nDSC - Regional Directives\nDSC Internal Control Field Territory \xe2\x80\x93   This represents the work program for RDM 2005-031, Information\nModule 3b: Information Technology        Technology Risk Management Program. This work program should be\nExaminations (August 15, 2005)           used for examinations starting after August 15, 2005.\nRDM 2005-031 \xe2\x80\x93 Information               The IT-RMP represents a new approach for conducting IT examinations\nTechnology Risk Management Program       at all FDIC-supervised financial institutions, regardless of size or\n(IT-RMP)                                 complexity. 
Using the new IT-RMP procedures, examiner focus shifts\n                                         from historic-based technology and control reviews to assessing\n                                         management and IT risk management practices as communicated\n                                         through a financial institution\xe2\x80\x99s formal information security program.\nRDM 2004-014 \xe2\x80\x93 Information               The IT General Work Program, issued through this RDM, was revised to\nTechnology General Work Program          include additional guidance to examiners for a) Appendix B, Part 364, of\nRevision                                 the FDIC Rules and Regulations; b) imaging technology; and c) wireless\n                                         technology.\n\n\n\n\n                                                 21\n\x0c                                                                                    APPENDIX II\n\n\nRDM 2004-002 \xe2\x80\x93 Report Treatment of      To ensure consistency in reporting financial institutions\xe2\x80\x99 compliance\nCompliance with the Interagency         with the Interagency Guidelines, all safety and soundness and separate-\nGuidelines Establishing Standards for   cover IT ROEs should include a comment regarding the subject\nSafeguarding Customer Information       institution\xe2\x80\x99s compliance with the guidelines - 12 C.F.R. Part 364,\n                                        Appendix B. In the event of serious noncompliance, examiners should\n                                        document that the financial institution fails to meet the standards\n                                        prescribed under this section of the Interagency Guidelines Establishing\n                                        Standards for Safeguarding Customer Information. 
Examiners should\n                                        not include comments to the effect that the bank \xe2\x80\x9cis in violation of the\n                                        Guidelines\xe2\x80\x9d or is being \xe2\x80\x9ccited for a violation of the Guidelines.\xe2\x80\x9d\nRDM 2001-039 \xe2\x80\x93 Guidelines for           Examination findings should be documented using a combination of brief\nExamination Work Papers and             summaries, bank source documents, report comments, and other\nDiscretionary Use of Examination        examination work papers that address both management practices and\nDocumentation Modules                   condition.\nDSC Examination Manual, Section 1.1,    Examination documentation should demonstrate a clear trail of decisions\nBasic Examination Concepts and          and supporting logic within a given area. Documentation should provide\nGuidelines                              written support for examination and verification procedures performed\n                                        and conclusions reached and support the assertions of fact or opinion in\n                                        the financial schedules and narrative comments in the ROE.\n\n\n\n\n                                                22\n\x0c                                                                                                                                              APPENDIX III\n                         ANALYSIS OF EXAMINER DOCUMENTATION OF INSTITUTION COMPLIANCE WITH\n                           INTERAGENCY GUIDELINES IN RELATION TO THREE KEY CONTROL AREAS\n\nThree Key Control Areas Reviewed                         Bank 1 Bank 2   Bank 3   Bank 4   Bank 5   Bank 6   Bank 7   Bank 8   Bank 9   Bank 10   Bank 11   Bank 12\nDue Diligence\n1. 
Determine the adequacy of the TSP\xe2\x80\x99s controls to\n                                                          N       N        Y        N        Y        N        N        N        N        N         Y         N\nsafeguard the bank\xe2\x80\x99s sensitive customer information.\n2. Conduct background checks on key personnel.            N       N        Y        N        Y        N        N        N        N        N         Y         N\n3. Determine the extent of the TSP\xe2\x80\x99s use of\nsubcontractors, and conduct due diligence on              N       N        Y        N        Y        N        N        N        N        N         Y         N\nsubcontractors.\nContract Provisions\n4. Protection of the bank\xe2\x80\x99s data from unauthorized\n                                                          Y       N        Y        N        Y        N        N        N        N        N         Y         N\naccess at the TSP.\n5. Incident response plan for unauthorized access and\n                                                          N       N        Y        N        Y        N        N        N        N        N         Y         N\nnotification to the bank of breach.\n6. Adequate disposal of the bank\xe2\x80\x99s sensitive customer\n                                                          N       N        Y        N        Y        N        N        N        N        N         Y         N\ninformation by the TSP.\n7. Adherence to regulatory guidance and\nrequirements for the protection of sensitive customer\n                                                          Y       N        Y        N        Y        N        N        N        N        N         Y         N\ninformation, including providing accurate information\nand timely access to a bank\xe2\x80\x99s regulatory agency.\n8. 
Specific or custom information security standards\nrequired by the bank (i.e., 128-bit encryption, use of    N       N        Y        N        Y        N        N        N        N        N         Y         N\nfirewalls).\n9. Notification to the bank of subcontractor\n                                                          N       N        Y        N        Y        N        N        N        N        N         Y         N\narrangements with the TSPs.\n10. Ownership of the bank\xe2\x80\x99s customer information,\nincluding the timely return of information at contract    N       N        Y        N        Y        N        N        N        N        N         Y         N\ntermination to the bank.\n11. Confidentiality of an institution\xe2\x80\x99s sensitive\n                                                          N       N        Y        N        Y        Y        N        N        N        N         Y         N\ncustomer information.\n12. Types of evaluations, reviews, audits, or other\nreports of the TSP\xe2\x80\x99s controls to protect sensitive\n                                                          N       N        Y        N        Y        N        N        N        N        N         N         N\ncustomer information or the right of the bank to audit\nthe TSP.\n13. 
Determine whether the institution\xe2\x80\x99s Legal\n                                                          N       N        Y        N        Y        N        N        N        N        N         N         N\nCounsel had reviewed the contract.\nLegend: Y = Sufficient documentation.\n          N = Limited or no documentation.\n\n\n\n                                                                                  23\n\x0c                                                                                                                                           APPENDIX III\n\n\n\n\n                                                     Bank     Bank     Bank     Bank     Bank     Bank     Bank     Bank     Bank     Bank     Bank     Bank\nThree Key Control Areas Reviewed\n                                                      1        2        3        4        5        6        7        8        9        10       11       12\nOngoing Monitoring\n14. Audit and regulatory reports on the TSP\xe2\x80\x99s\ngeneral control environment, including information\n                                                       Y       N      Y       N         Y         Y       Y         Y        Y         Y         N         Y\nsecurity practices, standards, and procedures for\nprotecting the bank\xe2\x80\x99s sensitive customer information.\n15. Ensure that the TSP takes corrective action to\naddress findings included in the audit and regulatory  N       N      Y       N         Y         N       N         Y        N         Y         N         N\nreports on the TSP.\n16. Conformance with specific or custom\ninformation security standards required by the bank    Y       N      Y       N         Y         N       N         Y        N         Y         N         N\nand included in the contract.\n17. 
Subcontractors\xe2\x80\x99 compliance with Part 364,\n                                                       N       N      Y       N         Y         N       N         Y        N         Y         N         N\nAppendix B, security requirements.\n  Source: OIG analysis of 12 IT examinations sampled. We used FDIC RDM 2001-039 as the basis for making our determinations with regard to the sufficiency of\n  documentation.\n\n\n\n\n                                                                                24\n\x0c                                                                                 APPENDIX IV\n                  SUMMARY ANALYSIS OF EXAMINER\n           DOCUMENTATION OF INSTITUTION COMPLIANCE WITH\n            INTERAGENCY GUIDELINES IN RELATION TO THREE\n                        KEY CONTROL AREAS\n                                                               Sufficient     Limited or No\n            Three Key Control Areas Reviewed                 Documentation   Documentation\n                                                                 Number of Examinations\n Due Diligence\n 1. Determine the adequacy of the TSP\xe2\x80\x99s controls to safeguard            3             9\n   the bank\xe2\x80\x99s sensitive customer information.\n 2. Conduct background checks on key personnel.                          3             9\n 3. Determine the extent of the TSP\xe2\x80\x99s use of subcontractors,\n                                                                         3             9\n   and conduct due diligence on subcontractors.\n Contract Provisions\n 4. Protection of the bank\xe2\x80\x99s data from unauthorized access at\n                                                                         4             8\n   the TSP.\n 5. Incident response plan for unauthorized access and\n                                                                         3             9\n   notification to the bank of breach.\n 6. 
Adequate disposal of the bank\xe2\x80\x99s sensitive customer\n                                                                         3             9\n   information by the TSP.\n 7. Adherence to regulatory guidance and requirements for the\n   protection of sensitive customer information, including\n                                                                         4             8\n   providing accurate information and timely access to a\n   bank\xe2\x80\x99s regulatory agency.\n 8. Specific or custom information security standards required\n                                                                         3             9\n   by the bank (i.e., 128-bit encryption, use of firewalls).\n 9. Notification to the bank of subcontractor arrangements\n                                                                         3             9\n   with the TSPs.\n10. Ownership of the bank\xe2\x80\x99s customer information, including\n   the timely return of information at contract termination to           3             9\n   the bank.\n11. Confidentiality of an institution\xe2\x80\x99s sensitive customer\n                                                                         4             8\n   information.\n12. Types of evaluations, reviews, audits, or other reports of\n   the TSP\xe2\x80\x99s controls to protect sensitive customer information          2            10\n   or the right of the bank to audit the TSP.\n13. Determine whether the institution\xe2\x80\x99s Legal Counsel had\n                                                                         2            10\n   reviewed the contract.\n Ongoing Monitoring\n14. Audit and regulatory reports on the TSP\xe2\x80\x99s general control\n   environment, including information security practices,\n                                                                         9             3\n   standards, and procedures for protecting the bank\xe2\x80\x99s\n   sensitive customer information.\n15. 
Ensure that the TSP takes corrective action to address\n   findings included in the audit and regulatory reports on the          4             8\n   TSP.\n16. Conformance with specific or custom information security\n                                                                         5             7\n   standards required by the bank and included in the contract.\n17. Subcontractors\xe2\x80\x99 compliance with Part 364, Appendix B,\n                                                                         4             8\n   security requirements.\n Source: OIG analysis of 12 IT examinations sampled. We used FDIC RDM 2001-039 as the basis for\n making our determinations with regard to the sufficiency of documentation.\n\n\n\n\n                                                 25\n\x0c                       APPENDIX V\n\n\n\nCORPORATION COMMENTS\n\x0c     APPENDIX V\n\n\n\n\n27\n\x0c                                                                                                                                               APPENDIX VI\n\n\n                                           MANAGEMENT RESPONSE TO RECOMMENDATIONS\n\n\nThis table presents the management response on the recommendations in our report and the status of the recommendations as of the date of report\nissuance.\n                                                                                                                                                  Open\n                                                                                                                                         a\n Rec.                                                                                  
Expected              Monetary        Resolved:             or\nNumber               Corrective Action: Taken or Planned/Status                     Completion Date          Benefits        Yes or No           Closedb\n              DSC is planning an evaluation of the first year of\n      1       performance under the IT-RMP program. DSC will                        September 30, 2007          N/A               Yes             Open\n              incorporate the recommendations into its evaluation and\n              issue additional guidance where necessary.\n              DSC will re-emphasize examination documentation\n      2       requirements.                                                          March 30, 2007             N/A               Yes             Open\n\na\n    Resolved \xe2\x80\x93 (1) Management concurs with the recommendation, and the planned corrective action is consistent with the recommendation.\n               (2) Management does not concur with the recommendation, but planned alternative action is acceptable to the OIG.\n               (3) Management agrees to the OIG monetary benefits, or a different amount, or no ($0) amount. Monetary benefits are considered resolved as long\n                   as management provides an amount.\nb\n    Once the OIG determines that the agreed-upon corrective actions have been completed and are effective, the recommendation can be closed.\n\n\n\n\n                                                                               28\n\x0c'